On Wed, 2020-08-05 at 10:45 -0500, Tyler Hicks wrote: > In addition to SELINUX_STATE and SELINUX_POLICY, we should also consider > the proposed LSM_STATE and LSM_POLICY func values but require an "lsm" > rule conditional. > > So the current proposed rules: > > measure func=LSM_STATE > measure func=LSM_POLICY > > Would become: > > measure func=LSM_STATE lsm=selinux > measure func=LSM_POLICY lsm=selinux > > The following rules would be rejected: > > measure func=LSM_STATE > measure func=LSM_POLICY > measure func=LSM_STATE lsm=apparmor > measure func=LSM_POLICY lsm=smack Kees is cleaning up the firmware code which differentiated between how firmware was loaded. There will be a single firmware enumeration. Similarly, the new IMA hook to measure critical state may be placed in multiple places. Is there really a need from a policy perspective for differentiating the source of the critical state being measurind? The data being measured should include some identifying information. I think moving away from the idea that measuring "critical" data should be limited to LSMs, will clarify this. Mimi
